Directory Auth Plugin
Description
The Directory Auth Plugin is a password store for the AccountManagerPlugin that provides authentication and groups from Lightweight Directory Access Protocol (LDAP) enabled services, including OpenLDAP, Active Directory and Open Directory.
Users are authenticated by performing an ldap_bind against the directory using their own credentials. The plugin also pulls the email address and displayName from the directory and populates the session_attribute table.
Features
- Can use a service account to do lookups, or anonymous binding.
- Can use SSL if openssl is configured correctly.
- Configurable: many options to deal with the differences between directories and schemas.
- Uses both memory and db based caching to improve performance.
- Now supports large directories.
- Searches groups more efficiently using the member attribute.
- Recurses up the tree to find subgroups.
- Can expand directory groups into the Trac namespace.
See: TheoryOfOperation
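The lookups described above (session attributes after a successful bind, and group membership resolved upwards through the member attribute, with nested groups), as an added example that is not DirectoryAuthPlugin's own code. The directory is a constructed in-memory dictionary standing in for python-ldap search results; in a real deployment `search_member()` would wrap `LDAPObject.search_s()` with the filter that `member_filter()` builds, and the RFC 4515 escaping is the check a practitioner would want before a DN or login name is placed in a filter.

```python
# Added example, not the plugin's code. DIRECTORY is a constructed stand-in for
# python-ldap search results; search_member() plays the role of search_s() with
# the filter built by member_filter(). Attribute names are lower-cased as
# python-ldap returns them case-insensitively in practice.

# Constructed sample entries: DN -> attributes.
DIRECTORY = {
    "cn=jdoe,ou=people,dc=base,dc=net": {
        "mail": ["jdoe@base.net"], "displayname": ["Jane Doe"]},
    "cn=devs,ou=groups,dc=base,dc=net": {
        "member": ["cn=jdoe,ou=people,dc=base,dc=net"]},
    "cn=staff,ou=groups,dc=base,dc=net": {
        "member": ["cn=devs,ou=groups,dc=base,dc=net"]},
}
# Nested membership loop (staff -> devs -> staff): the walk must still terminate.
DIRECTORY["cn=devs,ou=groups,dc=base,dc=net"]["member"].append(
    "cn=staff,ou=groups,dc=base,dc=net")

def escape_filter_value(value):
    """RFC 4515 escaping so a DN or login name cannot change the filter's meaning."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def member_filter(member_dn):
    """Filter that would be sent to the server to find groups listing member_dn."""
    return "(member=%s)" % escape_filter_value(member_dn)

def search_member(directory, member_dn):
    """In-memory equivalent of search_s(base, SUBTREE, member_filter(member_dn))."""
    return [dn for dn, attrs in directory.items() if member_dn in attrs.get("member", [])]

def resolve_groups(directory, user_dn):
    """All groups containing user_dn, directly or through nested groups."""
    # Walk *up* the tree: every group found is itself looked up as a member.
    # The seen set deduplicates and stops cycles between groups.
    seen, pending = set(), [user_dn]
    while pending:
        dn = pending.pop()
        for group_dn in search_member(directory, dn):
            if group_dn not in seen:
                seen.add(group_dn)
                pending.append(group_dn)
    return sorted(seen)

def session_attributes(directory, user_dn):
    """Values the plugin stores in session_attribute: email and display name."""
    attrs = directory[user_dn]
    return {"email": attrs["mail"][0], "name": attrs["displayname"][0]}
```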
Bugs/Feature Requests
Existing bugs and feature requests for DirectoryAuthPlugin are here.
If you have any issues, create a new ticket.
| Type | Tickets |
|---|---|
| defect | 54 / 55 |
| enhancement | 11 / 11 |
| task | 2 / 2 |
Download
Download the zipped source from [download:directoryauthplugin here]
Source
You can check out DirectoryAuthPlugin from here using Subversion, or browse the source with Trac.
Installation
Prerequisites
- You must install AccountManagerPlugin in order to use this plugin.
- Python-LDAP is also required.
- For SSL, you will have to install and configure OpenSSL to work with valid certificates. You can test using `ldapsearch -Z`.
Installation steps
Follow the Trac documentation on how to install Trac plugins.
- Starting with v0.3, a database upgrade will be required as part of the installation.
- Install the plugin and its prerequisites.
- Update the database: `trac-admin /var/trac/instance upgrade`
- Restart the tracd service or your webserver.
Common Errors
- When using SSL, the server won't authenticate. Make sure you can use `ldapsearch -Z` with the same parameters from the same host, and resolve the issues there. A handy way to do that is to use: `joe@admin > ldapsearch -d8 -Z -x -b dc=base,dc=net -D binding@base.net -W -H ldaps://ldap.base.net -s one 'objectclass=person'`. The `-d8` should show you TLS errors.
- If you see Trac throwing an exception similar to "OPERATIONS_ERROR: In order to perform this operation a successful bind must be completed on the connection" when you know the bind user/pass is correct, then try connecting to Active Directory on port 3268. This may happen when AD is running across multiple machines.